SeaCat: SDN End-to-End Application Containment

433 views

Published on

This demonstration shows how the SeaCat Application Containment Architecture secures a medical record system applications (OPENMRS) in an end-to-end manner. Using this framework, medical personal can securely access patient medial records from mobile devices without fear that patients/ medical records will accidentally be exposed/compromised by malware. Junguk Cho, David Johnson, Makito Kano and Kobus Van der Merwe, University of Utah

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
433
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

SeaCat: SDN End-to-End Application Containment

  1. 1. SeaCat: an SDN End-to-end Application Containment ArchitecTure Enabling Secure Role Based Access To Sensitive Healthcare Data Junguk Cho, David Johnson, Makito Kano, Kobus Van der Merwe and Brent Elieson
  2. 2. Motivation • “Everything” is networked – Nearly all business applications assume network availability • Also true in healthcare – Accessing patient records – Remote diagnoses and consultation – In-home monitoring – Healthcare analytics – Plus “regular” vocational applications • HR/payroll functions, accessing domain specific literature – Plus non vocational use • Browsing the web, social networking etc.
  3. 3. Motivation cont. • Problem: – Same individual, using same device potentially using several of these applications simultaneously – Applications have very different security and performance constraints: • Healthcare records: stringent regulatory privacy and security requirements • In-home patient monitoring: different privacy and security needs + reliability and soft real time guarantees • Web use: no impact on core healthcare applications – Devices are increasingly mobile (tablets, laptops, smartphones) • Often not part of managed and trusted enterprise environment
  4. 4. Motivation cont. • Current approaches, combinations of: – Device scans when new devices attach to network – Run applications on application servers with thin clients on devices – Complex network and server access control policies • Inadequate: – Device with up-to-date patch levels might still contain malware – Application servers with thin clients constrain the type of applications that can be used – Access control policies only deal with access. Provide no protection once data is accessed
  5. 5. Motivation cont. • Problem generalizes to broad range of access to sensitive data • Different sets of regulations/practices – Protected health information (PHI) • HIPAA regulations – Student educational records • FERPA regulations – Federal government work • FISMA regulations – Business requirements • PCI DSS regulations – Institutional requirements • IRB regulations
  6. 6. SeaCat Approach • Combine SDN and application containment: – End-to-end application containment • Non-healthcare apps: – default context • Healthcare app: – dynamic app specific context – app and data contained in this end-to-end context • Treat mobile device as “semi-trusted” SDN domain – Inter-domain SDN interaction to tie in
  7. 7. Threat Model • Concerned with security and performance of health care applications used from variety of devices in a health care environment • Assume healthcare applications can be trusted – different from conventional threat model where device needs to be protected against untrusted applications • Specific concerns: – Unauthorized access • role based authentication and policies – Data leakage • end-to-end application containment – Resource guarantees • context based resource allocation with preemption – Denial of service • resource guarantees plus separation of resources
  8. 8. SeaCat Architecture: Endpoint Containment • Uses lightweight containers – Linux containers • All applications execute in containers: – move “regular apps” into default container • Minimize trusted computing base: – Only SeaCat Trusted Daemon left in root namespace
  9. 9. Motivation cont. • Problem: – Same individual, using same device potentially using several of these applications simultaneously – Applications have very different security and performance constraints: • Healthcare records: stringent regulatory privacy and security requirements • In-home patient monitoring: different privacy and security needs + reliability and soft real time guarantees • Web use: no impact on core healthcare applications – Devices are increasingly mobile (tablets, laptops, smartphones) • Often not part of managed and trusted enterprise environment
  10. 10. SeaCat Architecture: Endpoint Network Containment • SeaCat Trusted Daemon: – Manages endpoint SDN domain • Single switch domain: – Sets up context for default apps – Sets up context for secure apps: based on interaction with enterprise SDN
  11. 11. SeaCat Architecture: Enterprise Network Containment • SeaCat Server: – Manages enterprise SDN domain • Sets up context for secure apps • Includes SDN-enabled WiFi – Interacts with SeaCat trusted daemon in endpoint • Instructs trusted daemon to start secure container • Coordinates SDN across domains
  12. 12. SeaCat Architecture: Putting it all together • Enterprise network treats each mobile endpoint as semi- trusted SDN domain • Secure app user: authenticates using “normal” single-sign-on (SSO) technology – SeaCat server integrated with SSO – Successful authentication triggers: • Creation of app specific SDN context in enterprise • Signaling to endpoint SDN to: – Create secure container – Create endpoint app specific SDN context – Ties to enterprise SDN context • App and data remains in this secure end-to-end context • When app exits: – Complete context is destroyed
  13. 13. SeaCat Workflow/Interaction
  14. 14. Motivation cont. • Current approaches, combinations of: – Device scans when new devices attach to network – Run applications on application servers with thin clients on devices – Complex network and server access control policies • Inadequate: – Device with up-to-date patch levels might still contain malware – Application servers with thin clients constrain the type of applications that can be used – Access control policies only deal with access. Provide no protection once data is accessed
  15. 15. SeaCat Workflow/Interaction
  16. 16. EHR Server Default Context Other Apps Other Apps Other Apps Internet/ Non Healthcare Resources Mobile Endpoint SeaCat Enterprise/Campus Network SeaCat SSO Secure Context 1 2 SeaCat Workflow/Interaction
  17. 17. EHR Server Default Context Other Apps Other Apps Other Apps Internet/ Non Healthcare Resources Mobile Endpoint SeaCat Enterprise/Campus Network SeaCat SSO Secure Context 3 SeaCat Workflow/Interaction
  18. 18. EHR Server Default Context Other Apps Other Apps Other Apps Internet/ Non Healthcare Resources Mobile Endpoint SeaCat Enterprise/Campus Network SeaCat SSO Secure Context 4 5 SeaCat Workflow/Interaction
  19. 19. Motivation cont. • Problem generalizes to broad range of access to sensitive data • Different sets of regulations/practices – Protected health information (PHI) • HIPAA regulations – Student educational records • FERPA regulations – Federal government work • FISMA regulations – Business requirements • PCI DSS regulations – Institutional requirements • IRB regulations
  20. 20. SeaCat Demo • Mobile endpoint: – Linux WiFi-enabled tablet – With SeaCat Trusted Daemon: • Container and SDN management • Enterprise network: – SDN enabled WiFi access point • Tallac Networks • Virtual APs • Mapped to OpenFlow switch – Rest of enterprise SDN emulated in a Mininet instance • Single Sign On (SSO): – Uses Shibboleth SSO – SeaCat (Service Provider) to realize SeaCat functionality • Medical application: – OpenMRS (Medical Record System)
  21. 21. SeaCat Demo WiFi AP Emulated Network HUB Enterprise SDN Controller VIF1 OVS Other Apps Client tablet lxc VIF0 Ryu controller DHCP FLOW MANAGER ETH2 OVS OpenMRS server SSO: SeaCat Service ProviderSSO: Identity Provider ETH3 H1 H2 H3 MININET ETH0 Policy VAP Default VAP OVS ETH0 ETH1 Wireless network Real Ethernet network Virtual Ethernet network Trusted Daemon LXC CONTROLLER OVS CONTROLLER Other Server H4 Enterprise/Campus Network lxc
  22. 22. Status and plans • Have working prototype… • Current focus on access to electronic health records • SeaCat is a general application framework… – other health care apps – other apps that require access to sensitive data • Interested in exploring possibility of trial deployment…

×